Exposing cardholder information by imprinting this information on receipts is the Russian Roulette of the credit industry. It’s risky, foolish and potentially devastating: if not immediately, then probably later.

For the cardholder, the maximum immediate monetary damage is $50. Problems resulting from identity fraud, credit holds, and card reissuance can be serious, but consumers react to what’s happening today, and generally don’t become concerned about something as seemingly-innocent as a receipt until it does serious damage. Thus, there’s no outcry from this sector.

For the businesses involved, problems caused by imprinted receipts are simply costs that are spread around – akin to shoplifting, pfishing, and other fraud.

Banks mitigate their losses by refusing to honor the sale, but they can’t avoid the operational costs of investigation processing and documentation, tie-ups in cardholder credit, card reissuance, etc.

As usual, the heaviest burden falls on the merchant. A fraudulent transaction caused by an imprinted receipt sets in motion an investigation where the merchants has to spend time with the issuer and the bank, loses the merchandise, and forfeits the sale. All with virtually no recourse. The extent of damage is unknown, because there are no definitive national numbers on how many merchants continue to use imprinted drafts as primary receipts, but informal surveys indicate the problem is substantial, and, like all other forms of credit mischief, growing.

Are imprinted receipts a component of identity theft? Others have suggested, and I agree, that the stealing of cardholder account names and expiration dates alone doesn’t enable ID theft. It’s just one tool among several that are needed.

Criminals (fortunately) are lazy, relying more on brute force than brains. Tightening security against hackers with better network protection, and enhancing merchant site security has put formidable obstacles in their path. The response of the tech-savvy criminal sector has been to use multiple computers to attack a site and expose itself – a technique which had some success until electronic countermeasures – better obstacles - were devised.

Now, defeating security systems is more difficult, and takes longer - if it can be accomplished at all. So, criminals are left with a conundrum: invest a lot of time with possibly no payoff, or return to the time-honored tradition of dumpster diving. Human nature, at least at this level, says go for the easier target. And that’s what’s occurring.

This reality begs three questions How many merchants are still advertising cardholder data via imprinted sales drafts? How much fraud can we eliminate with drafts that do not contain this information? And why, if we can get the latter with no increase in expense, and no operational changes, doesn’t the financial industry, if not the regulatory agencies, mandate it?

Protecting cardholder information is in everyone’s best interest. Financial factors aside, the merchant wants to be perceived in the community as a responsible party who takes security - and privacy - (another hot button issue) seriously. From a selling standpoint, the bank or ISO also wants to be viewed as a provider of products or services that protect – not a contributor to a problem, or source of personal risk.

Knowledgeable consumers pay attention to receipts, as do their employers, who often get those receipts as reimbursements for business expenses, or as receipts from corporate purchasing cards. Neither wants cardholder information put at risk. The issue is truly one of awareness, because merchants have the option: truncated sales drafts that do not reveal cardholder information, and cost the same as conventional sales drafts, are available.

Do we need a law to close this gaping security hole? Current state and federal laws, written in the previous century, exclude imprinted sales drafts, because there was no viable alternative. And, at the time these laws were written, ID theft was in its infancy, and not regarded as a major issue.

We’ve implemented many costly, high-tech procedures to assure greater security. Now the big hole - big enough to drive a (stolen) truck through, is the non-truncated receipt. It has become, once again, the path of least resistance.

Like corporate cost savings, all the “easy” steps to improve security, (and many of the hard ones), were implemented long ago. What’s left is small but critical steps that can make a real difference now. And this step, unlike all those that preceded it, has no additional expense, no new training to do, and no downside.

Biff Matthews is President of Thirteen Inc, the parent company of CardWare International. He is one of 12 founding members of the ETA, serving on its board, advisory board and committees. (740) 522-2150.